Office of the Inspector General

September 27, 1999

John R. Dyer
Principal Deputy Commissioner
 of Social Security

Acting Inspector General


Management Advisory Report – Identifying and Validating Non-Mission Critical Commercial Software for Year 2000 Compliance (A-14-99-11003)


Attached is a copy of our subject final management advisory report. The objective of this review was to determine whether the Social Security Administration’s non-mission critical commercial software had been identified and validated for Year 2000 compliance.

You may wish to comment on any further action taken or contemplated on our recommendations. If you choose to comment, please provide your comments within the next 60 days. If you wish to discuss the final report, please call me or have your staff contact Daniel R. Devlin, Acting Assistant Inspector General for Audit, at (410) 965-9700.


James G. Huse, Jr.

Attachment


OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

IDENTIFYING AND VALIDATING NON-MISSION CRITICAL SOFTWARE FOR YEAR 2000 COMPLIANCE

September 1999   A-14-99-11003

MANAGEMENT ADVISORY REPORT


Office of the Inspector General


John R. Dyer
Principal Deputy Commissioner
 of Social Security

Acting Inspector General


Management Advisory Report – Identifying and Validating Non-Mission Critical Commercial Software for Year 2000 Compliance


This final management advisory report presents the results of the subject review. We conducted this review to determine whether the Social Security Administration’s (SSA) non-mission critical software had been identified and validated for Year 2000 (Y2K) compliance. We met with SSA management on several occasions to discuss this review, and, while management has developed plans to address some of our concerns, we believe there are still issues that warrant management’s attention.

The Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, February 8, 1996, states that agencies should establish oversight mechanisms that ensure each information system meets agency mission requirements. The General Accounting Office Guide, Year 2000 Computing Crisis: An Assessment Guide (GAO/AIMD-10.1.14), September 1997, states that an enterprise-wide inventory of information systems for each business area should be conducted to provide the necessary foundation for Y2K program planning. The Guide also states that agencies must determine which systems: (1) are mission critical, (2) support important functions, and (3) support marginal functions.

SSA’s heavy reliance on automated systems to accomplish its mission has presented it with the enormous challenge of reviewing and converting all of its computer software for Y2K compliance. SSA’s Chief Information Officer has overall responsibility for the Agency’s Y2K program; however, the Office of Systems (OS) has the day-to-day responsibility of ensuring that changes are made to systems that support SSA’s core business processes. SSA defined mission critical systems as those systems that support core business processes. OS is also coordinating with other SSA components to ensure that changes are made to less critical systems, many of which are kept on SSA servers and personal computers. SSA estimates that it is supported by at least 2,825 local area network servers with 59,095 workstations.

We focused our review on the Y2K readiness of the non-mission critical commercial software maintained on SSA servers. We limited our review to non-mission critical commercial software on SSA servers because: (1) both GAO and an independent contractor reviewed SSA’s mission critical software; (2) we wanted to expeditiously alert SSA about any of our concerns; and (3) software on servers is shared by multiple users and would, therefore, be more important to SSA components than software on personal computers.

We judgmentally selected servers used by the Offices of Disability Operations, Hearings and Appeals, and Quality Assurance as well as the Atlanta and Kansas City program service centers, teleservice centers, field offices, and regional offices. We selected these offices because they represented a cross section of SSA’s components. Because our sample of servers was not randomly selected, the results of our review cannot be projected.

With the assistance of the Office of Systems, Year 2000 Project Office, we obtained inventories of all non-mission critical commercial software and analyzed these inventories by region/component. We then compared the regional/component inventories to the inventory SSA submitted to OMB. We used the Check 2000 Client Server software (Check 2000) [1] to scan SSA servers to identify commercial software applications not included in SSA’s inventory of non-mission critical commercial software. Similarly, we scanned SSA servers to identify data base and spreadsheet files containing two-digit dates. We selected data base and spreadsheet files for testing because those files were more likely to contain dates that were used in calculations and formulas. However, word processing files could also be at risk, specifically if they use embedded functions such as macros. [2]

[1] This is a Y2K testing tool for networked personal computers licensed by Greenwich Mean Time.
[2] Macros are a series of keyboard and mouse actions recorded to a single key, symbol, or name.

Our review identified two areas of concern that we believe management should address to ensure Y2K compliance of SSA’s non-mission critical commercial software. These areas are discussed below.

Non-Mission Critical Software Inventory Was Incomplete

SSA’s Y2K inventory of non-mission critical software was incomplete. We tested 57 (approximately 2 percent) of SSA’s estimated 2,825 servers. We identified 216 copies of 22 commercial software applications that did not appear on SSA’s Y2K inventory of non-mission critical software. Of the 57 servers tested, 52 (91 percent) contained at least 1 copy of the 22 software applications. Three of the 22 applications were on 49 SSA servers. The 22 applications spanned a variety of functions, including communications, word processing, and developmental software. For example, three were developmental applications used to develop in-house software. Appendix A shows, by component/region, the number, software vendor, and function of the 22 software applications identified.

Without a complete Y2K inventory of non-mission critical software maintained on SSA’s servers, SSA cannot ensure that all of its commercial software is Y2K compliant. Also, an incomplete inventory affects the validity of SSA’s periodic reporting to OMB on the status of its Y2K progress—especially SSA’s May 1999 assertion that its non-mission critical systems inventory and Y2K validation are complete. [3]

[3] SSA reports the status of its year 2000 progress to OMB each quarter.

We identified certain conditions that we believe are the fundamental causes of the incomplete Y2K inventory. The instructions to complete the non-mission critical software inventory were mostly verbal. We believe verbal instructions could easily be degraded and changed, especially with turnover of personnel and the communication through the lines of authority below the SSA Y2K representatives, referred to as Deputy Commissioner Coordinators (DCC). The DCCs were responsible for identifying the software applications used by their respective components and reporting the inventories to OS. Our review determined that the DCCs did not use automated inventory tools to complete the Y2K inventory. Instead, they manually prepared the Y2K inventories of commercial software.

As a result, there was no consistency in the approach used to complete the Y2K inventory, and the inventory was prone to human errors and omissions. For example, our analysis of regional/component inventories revealed that the Seattle Region did not report its entire inventory until we questioned why it reported such a limited number of software applications. Also, the inventory for the Commissioner’s Office continues to show no non-mission critical commercial software.

The Y2K inventory of software and validation of its Y2K compliance should be completed for all non-mission critical software, especially since there may be a risk that a noncompliant software application important to SSA operations will not be operational in the year 2000.

Data Bases and Spreadsheets Contain Two-Digit Dates

Our tests of 167 data base and spreadsheet files used on 18 servers identified 54 files (about 32 percent) with two-digit dates. Thirty of the files were data bases and 24 were spreadsheets. Appendix B shows the number of files identified with two-digit dates by SSA component. Although our test was useful in that we identified files with two-digit dates, we did not analyze the files to determine how the two-digit dates were used or assess the importance of the data files containing two-digit dates.

We believe the next step in ensuring Y2K compliance is an evaluation of these files to determine the true consequences of two-digit dates and the importance of the data files. This can only be determined after the context of the dates’ use is understood. For example, some data files may use the date as the report heading, while other files may use the date in significant calculations. In addition, the way an application interprets a two-digit date may differ from what the user intended and may differ between applications. Microsoft reports this risk for its products. For example, for Excel 97, an application that SSA uses at its offices nationwide, Microsoft reports: “If a date is pasted from one application to another using only the last two digits of the year, Microsoft Excel might parse the date differently than the originating application calculated it.”

Parsing relates to an application’s interpretation of a two-digit date. For example, Microsoft Excel 97 interprets 1/1/00 through 12/31/29 as 1/1/2000 through 12/31/2029. Similarly, it interprets 1/1/30 through 12/31/99 as 1/1/1930 through 12/31/1999. This example shows that users who continue to use two-digit dates in their data files must know how each application interprets that date.

Files with two-digit dates could disrupt SSA’s non-mission critical operations with system failures or corrupt the information in the file. A file is corrupt when the application continues operating on it but produces unpredictable results. The result may be degradation of reporting or unexplainable system behavior. For example, one of the most visible problems can be a file sort on two-digit year fields. Storing 1999 as 99 and 2000 as 00 will cause 00 date fields to sort before the 99 date fields. Therefore, reports generated from the sort will be wrong.

Some of the data files identified with two-digit dates may have been reviewed before our briefings with SSA on the results of our review. However, SSA’s response did not indicate they had been previously reviewed.

Conclusion, Management Response, and Suggested Actions

We presented the results of our review to SSA. Although these were not formal recommendations, we recommended that SSA: (1) evaluate the risk that commercial applications have not been identified and inventoried by each component, (2) provide components access to Y2K software tools to ensure the Y2K inventory is complete, (3) validate Y2K compliance of any additional software identified, and (4) identify important data files needed for continued operations and determine whether those files contain two-digit dates and correct those dates where needed.

SSA took an aggressive approach in evaluating the results of our review. SSA provided explanations for 13 of the 22 applications that were not on the Y2K inventory of non-mission critical commercial software. (For example, 4 of the 22 applications were on an OS list of nationally distributed software, but they were not on the official Y2K inventory.) SSA is still evaluating the remaining nine applications. After evaluating the 54 data files containing two-digit dates, SSA reported that the files were Y2K compliant and not problematic. We believe similar evaluations are needed to determine the importance and the potential impact of other data files containing two-digit dates.

In response to our recommendations, OS determined whether all non-mission critical commercial software had been inventoried. As a result, OS determined that no further action is needed for SSA field operations because users are unable to add commercial software to the servers without the assistance of OS. With respect to Headquarters components, OS has requested that each component interrogate local servers at least twice before January 1, 2000, to ensure the non-mission critical Y2K inventory is complete. OS will also make automated Y2K software tools available to all components. SSA did not indicate that any actions were planned to review data files.

While SSA deserves credit for its leadership in addressing the concerns identified during our review, SSA remains at risk that not all of its non-mission critical commercial applications and related data files will be corrected before January 1, 2000. At particular risk are commercial applications that have not yet been identified in its non-mission critical Y2K inventory and important data files containing two-digit dates. SSA should ensure that: (1) all commercial applications are inventoried and validated for Y2K compliance, (2) important data files containing two-digit dates are corrected where needed, and (3) components are advised of any risks inherent in using two-digit dates for each of the commercial applications supported by SSA.

AGENCY COMMENTS AND OFFICE OF THE INSPECTOR GENERAL RESPONSE

In response to our draft management advisory report, SSA has either agreed to take action or has taken action to address the concerns we raised. SSA also provided additional information to clarify its efforts in addressing Y2K preparedness issues. Specifically, SSA has purchased and is using two software packages to assist in identifying files with two-digit dates. In addition, the Agency has instructed certain components to review reports generated from these utilities to investigate and take action on potential Y2K problems. The full text of the Agency’s comments is included in Appendix C.

There are two additional issues that we wish to clarify. In its response to our first recommendation, SSA stated the DCC tracking report was not intended to be the complete inventory of all applications and commercial products used by SSA components. We used the DCC tracking report because it served as the basis for the Commissioner’s certification to OMB that SSA’s non-mission critical software was Y2K compliant.

Second, the Agency took exception to our statement that we found no evidence SSA provided information about the risks of using two-digit dates or directed components to inventory and evaluate data files and correct them where needed. We acknowledge that the corrective measures the Agency took to address potential Y2K problems indicate an awareness of the risks of using two-digit dates. As such, we have revised our report to more accurately reflect the action taken by the Agency.


James G. Huse, Jr.


APPENDICES


APPENDIX A

Commercial Software Inventory

We scanned 57 Social Security Administration (SSA) servers for software and identified 216 copies of 22 software applications not inventoried by SSA for Year 2000 (Y2K) compliance. Fifty-two of the 57 servers had at least 1 copy of the applications. Also, 3 of the applications were on 49 of the 57 servers. The columns OQA through ATR give the number of copies found per component/region [1]; a dash means none were found.

No.  Application                Vendor               Function                    OQA  ODO  OHA  KCR  ATR  Total
  1  ACT! Registry Backup       Symantec             Contact Tracking              -    -    -    -    2      2
  2  Bank Interest Calculator   Sage                 Interest Calculator           -    1    1    -    -      2
  3  Bounds Views [2]           Folio                Information Retrieval         -    -   10    -    -     10
  4  B’Trieve [3]               Compsoft             Unknown                       1    -    -    -    -      1
  5  Codewright Editor          Premea               Development                   -    -    -    -    1      1
  6  DisplayWrite               IBM                  Word Processing               -    -    -    -    1      1
  7  Exchange Client for 95 [4] Microsoft            Communications                7    8    8   13   13     49
  8  Exchange Server [4]        Microsoft            Communications                -    -    -    -    1      1
  9  Folio Bound Views [2]      Folio                Information Retrieval         3    -   11    -    -     14
 10  Hyper Access 5             Hilgraeve            File Transfer                 2    -    1    2    1      6
 11  Jetform [5]                Jetform              Form Design                   -    1    -    -    1      2
 12  Memory Master [3]          InSoft               Memory Utility                -    -    1    -    -      1
 13  NetRemote [3]              Brightwork           Medical Record Management     -    -   10    -    -     10
 14  Outlook [4]                Microsoft            Electronic Mail               7    8    8   13   13     49
 15  Pathworks                  DEC                  Server Software               -    -    -    -    2      2
 16  PCFocus [6]                Information Builders Unknown                       1    -    -    -    -      1
 17  PERL for NT [4]            Activeware           Development                   -    -    -    -    1      1
 18  Personal REXX              Mansfield Software   Development                   -    -    -    -    1      1
 19  Print to a File [3]        Unknown              Print Utility                 -    -   10    -    -     10
 20  SQZ!                       Symantec             Unknown                       -    -    1    -    -      1
 21  Textware                   Unknown              Unknown                       -    1    -    -    1      2
 22  Twain Thunker [7]          Hewlett Packard      Graphics Utility              7    8    8   13   13     49

     Number of Servers Tested                                                      7    8   11   15   16     57
     Number of Copies of Applications on Servers Tested                           28   27   69   41   51    216
     Number of Servers With Applications                                           7    8   11   13   13     52

[1] Component/Region:
    OQA – Office of Quality Assurance and Performance Assessment
    ODO – Office of Disability Operations
    OHA – Office of Hearings and Appeals
    KCR – Kansas City Region
    ATR – Atlanta Region

Applications Omitted From Y2K Inventory
[2] Application included with other applications when installed.
[3] Application reportedly not used by component.
[4] Application on an Office of Systems list of nationally distributed software.
[5] Application on inventory under a new product name, Form Flow. However, the vendor indicated Form Flow is a different product.

Applications Not Omitted From Y2K Inventory
[6] Application recorded on inventory with a different name, Focus PC.
[7] Software not in itself a separate application, but a graphics utility.


APPENDIX B

Data Base and Spreadsheet Files With Two-Digit Dates

We tested 18 servers to identify data base and spreadsheet user files with two-digit dates. Fifty-four files containing two-digit dates were identified, of which 30 were data bases and 24 were spreadsheets. These files were identified on 16 of the 18 servers tested.

                                       All files            Data bases           Spreadsheets     
Component                          Tested  Failed    %  Tested  Failed    %  Tested  Failed    %
Office of Disability Operations        31       6   19       4       1   25      27       5   19
Office of Hearings and Appeals         42      18   43      36      14   39       6       4   67
Office of Quality Assurance            28      12   43      18       5   28      10       7   70
Atlanta/Birmingham Region              24       6   25      10       4   40      14       2   14
Kansas City Region                     42      12   29      28       6   21      14       6   43
Total                                 167      54   32      96      30   32      71      24   34

Failed: files containing two-digit dates. Percentages are failed files as a share of files tested in that group.


APPENDIX C

AGENCY COMMENTS


APPENDIX D

MAJOR CONTRIBUTORS TO THIS REPORT

Office of the Inspector General

Gale S. Stone, Director, Systems Audits
Albert Darago, Audit Manager, Applications Controls
Wesley Lewis, Auditor-In-Charge
Carol Ann Frost, Program Analyst
Richard Ackerman, Program Analyst
Randy Townsley, Auditor
Anita McMillan, Auditor

For additional copies of this report, please contact the Office of the Inspector General’s Public Affairs Specialist at (410) 966-5998. Refer to Common Identification Number A-14-99-11003.


APPENDIX E

SSA ORGANIZATIONAL CHART
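The Excel 97 pivot window, the cross-application parsing difference and the two-digit-year sort defect described in the "Data Bases and Spreadsheets" discussion of the report body, as an added example that is not part of the OIG report and is not SSA, Microsoft or Check 2000 code. The spreadsheet rows are constructed for the example, and the second pivot value (49, a 1950 to 2049 window) is an assumed stand-in for "another application"; the report names no such window.

```python
"""Two-digit-year failure modes discussed in the report body.

Added example; not part of the OIG report and not an SSA, Microsoft or
Check 2000 component. It scans constructed spreadsheet-like rows for fields
that hold two-digit-year dates, expands them under an application's pivot
window (Excel 97's documented 1930-2029 window is the default), shows that a
second application with a different window (the 49 pivot is an assumed
stand-in, not something the report names) reads the same field as a
different year, and shows the sort defect the report describes: "00" orders
before "99".
"""
import re
from datetime import date

# M/D/YY with exactly two year digits. "6/30/1998" does not match.
TWO_DIGIT_DATE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{2})$")

# Excel 97 window per the report: 00-29 -> 2000-2029, 30-99 -> 1930-1999.
EXCEL97_PIVOT = 29
# Assumed stand-in for an application using a 1950-2049 window.
OTHER_APP_PIVOT = 49


def expand_year(yy, pivot=EXCEL97_PIVOT):
    """Map a two-digit year to four digits: 00..pivot -> 20yy, else 19yy."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected, got %r" % yy)
    return 2000 + yy if yy <= pivot else 1900 + yy


def parse_two_digit_date(text, pivot=EXCEL97_PIVOT):
    """Parse 'M/D/YY' as the given application would; None if not two-digit."""
    m = TWO_DIGIT_DATE.match(text.strip())
    if m is None:
        return None
    month, day, yy = (int(g) for g in m.groups())
    return date(expand_year(yy, pivot), month, day)


def find_two_digit_dates(rows):
    """Return (row, column, value) for every field holding a two-digit date.

    This is the inventory step only: it flags fields, it does not judge
    whether the date is a report heading or feeds a calculation.
    """
    return [
        (r, c, field)
        for r, row in enumerate(rows)
        for c, field in enumerate(row)
        if TWO_DIGIT_DATE.match(str(field).strip())
    ]


def interpretations_differ(text, pivot_a, pivot_b):
    """True when two applications read the same two-digit date as different
    dates, which is the paste-between-applications risk Microsoft describes."""
    a = parse_two_digit_date(text, pivot_a)
    b = parse_two_digit_date(text, pivot_b)
    return a is not None and a != b


def sort_by_raw_year(rows, col):
    """Order rows as a file sorted on the two stored year characters would."""
    return sorted(rows, key=lambda row: row[col].split("/")[2])


def sort_by_expanded_year(rows, col, pivot=EXCEL97_PIVOT):
    """Order rows by the four-digit date the application actually means."""
    return sorted(rows, key=lambda row: parse_two_digit_date(row[col], pivot))


# Constructed sample rows (not SSA data): claim id, date filed, amount.
HEADER = ["claim", "filed", "amount"]
ROWS = [
    ["A-1", "12/15/99", "120.00"],
    ["A-2", "1/3/00", "80.00"],
    ["A-3", "6/30/1998", "45.00"],   # four-digit year, not flagged
    ["A-4", "7/4/35", "10.00"],      # 1935 in Excel 97, 2035 elsewhere
]
TWO_DIGIT_ROWS = [row for row in ROWS if TWO_DIGIT_DATE.match(row[1])]


def claim_order(sorter):
    """Claim ids in the order a given sort produces, for comparison."""
    return [row[0] for row in sorter(TWO_DIGIT_ROWS, 1)]


if __name__ == "__main__":
    for r, c, value in find_two_digit_dates([HEADER] + ROWS):
        print("row %d col %d: %s -> Excel 97 reads %s, other app reads %s"
              % (r, c, value,
                 parse_two_digit_date(value, EXCEL97_PIVOT),
                 parse_two_digit_date(value, OTHER_APP_PIVOT)))
    print("raw two-digit sort: ", claim_order(sort_by_raw_year))
    print("expanded-year sort: ", claim_order(sort_by_expanded_year))
```

Running the file prints each flagged field with both readings and the two sort orders: the raw sort puts claim A-2 (filed 1/3/00) ahead of A-1 (filed 12/15/99), which is the misordered report the text warns about, while 7/4/35 is 1935 under the Excel 97 window and 2035 under the assumed 49 pivot. The scan only locates two-digit fields; deciding whether a flagged date is a heading or feeds a calculation is the manual evaluation the report asks SSA to carry out.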